UK ISP TalkTalk Criticised for Questionable Router Security Advice

Last week several broadband ISPs in the UK were attacked by a new Internet worm called Mirai (here), which hijacked their routers. TalkTalk’s older DSL-3780 was one of the devices to be hit and the ISP was quick to patch the problem, but oddly they have not advised customers to change WiFi passwords.

A number of reports, including ours, warned that the vulnerability exploited by Mirai could also be used to steal the WiFi password for infected networks. TalkTalk’s firmware fix also resets this password back to the default, although most people never change the default (note: the password tends to be different for every router that TalkTalk sends out).

Admittedly a hacker with knowledge of this password would still need to a) know where your network is in the real-world (they could in theory get this by snooping on your Internet traffic) and, b) be sitting within its coverage in order to access it (e.g. right outside your house). All of this does rather limit the risk, but never the less it would be good practice for the ISP to recommend that customers change the default WiFi password.

However this isn’t what TalkTalk have been telling customers to do.

TalkTalk’s Security Update

As is widely known, the Mirai worm is an industry issue impacting many companies around the world, and a small number of you may have been affected.

We can reassure you that there’s no risk to your personal information as a result of this router issue, and there’s no need for you to reset your wifi password. However if you’ve any concerns you can follow these step by step instructions to change your wireless name and password.

Understandably anything that can hijack your router and snoop on your Internet traffic, as well as potentially steal your WiFi password, does in fact place a very obvious risk upon your personal information. Suffice to say that more than a few security experts have been surprised by TalkTalk’s “advice” and so are we.

Pen Test Partners Statement

Most routers are made in the far east, most of the affected routers have components in them made by a group of companies called Ralkink / Econet / Mediatek. No-one is certain, but some think that the manufacturers of the routers had software written for them that didn’t secure the ‘TR-064’ protocol correctly.

The ISPs should have done a better job of checking their routers before sending them to customers. The manufacturers should have had the software written securely in the first place.

The TR-064 issue has been known about for a while, though until recently few realised just how serious it was. Until someone started building the bot-net and peoples routers stopped working, few were taking this seriously.

We run what’s called a ‘honeypot’ router – this is a piece of software that looks like one of these routers and helps us monitor odd activity on the internet. When we saw weird requests, we realised that peoples Wi-Fi keys and worse could be stolen. That’s when we realised just how serious this issue is.

Go and check your router now, update it and change your Wi-Fi keys urgently. Hopefully ISPs will realise the error of their ways and replace the routers too.

Whilst you’re at it, make sure you us a password manager and always use two step verification when logging in to web sites and apps.

So far the only UK providers to have admitted being hit are TalkTalk, KCOM and the Post Office, although there may be others and Mirai could conceivably be adapted to hit a wider range of devices in the future. As such we’ve been calling on all ISPs that supply their own routers to take a pro-active approach towards ensuring that the same style of attack cannot hurt them in the future. Likewise customers with third-party routers would do well to check for a new firmware update, just in case.

Meanwhile the BBC claims that they’ve been contacted by someone who said he had access to a database of 57,000 router IDs (SSID / MACs) and passwords, which had been scraped before any fix had been rolled out. A sample of 100 were sent to the BBC and TalkTalk confirmed the details, but the ISP said that they haven’t “seen anything to suggest that there are 57,000 of them out there.”

Surely 100 is enough of a warning and just when we thought TalkTalk had turned a corner after last year’s cyber-attack. When it comes to security, a little paranoia is a good thing. Change the WiFi password.